November 1, 2011
Security Conference List – Wikipedia Rocks
Wikipedia truly is amazing. Check out its list of worldwide security conferences. It is a great place to look for any professional wanting to speak at or attend high-profile conferences, and definitely a good site to add to my links page.
October 30, 2011
Is Your 3rd Party Provider Secure?
Rogue Russian entities in the advertising industry take millions and the entire company disappears. Poor programming practices at offshore development shops leave cross site scripting flaws in half of a company's websites. More and more security weakness is being exposed through the poor practices of a vendor, partner, or other third party business entity. These entities and the services they provide can create significant exposure and result in large scale financial problems for the host organization.
What can be done?
Securing third party relationships can be approached in many ways, but it has to start with the relationship itself and the contracts in place. Once a contract exists, each practice can be broken down. Third party security assessments typically include two main practices:
- Technical Security Testing
- Checklist Validation Assessments
Technical Security Testing usually involves network vulnerability scanning, penetration testing, application testing, and sometimes security configuration reviews. Note that the phrase "third party assessment" is used in two different ways. In the first, the host organization contracts a third party to assess the host organization itself; that is what technical testing usually means in practice. In the second, the host organization assesses its own third party service providers. The rest of this post is about the second meaning.
Checklist validation assessments are commonly used for assessing one's own service providers. One of the most commonly used tools for this practice is supplied online by Shared Assessments. The Shared Assessments questionnaire (SIG) and agreed upon procedures (AUP) guides are used in many countries around the world. They are very comprehensive and allow for customization if required. The core components that make this tool so useful for third party risk assessments are:
- Excel based checklist format whose responses can be automatically compared against a configured baseline
- Comprehensive list of standard questions that map to several compliance regulations
The Shared Assessments program has done a good job of explaining how to use the tool, so rather than repeat what is clearly explained online, the focus here is on leveraging the tool to build a third party assessment function within the organization. Building that function requires dedicated resource time for the following responsibilities:
- Determining the assessment schedule and prioritization
- Customizing the questionnaires
- Phone and email follow up to third parties
- Onsite review and validation (if applicable based on the assessment type)
- Providing reports to management and third party entities
- Follow up on remediation efforts
Shared Assessments – Useful
Back in 2009 my blog entry was titled "BITS Shared Assessments – Useful or Not". After several more years and hundreds of client reviews, it appears this is now the predominant assessment practice. Organizations have taken the main content and questions, then customized and integrated them into formal programs. I still find the validation component one of the weakest links, though in some cases that also falls on the assessor. To help mitigate the risk, organizations should be performing both technical and checklist testing of their third parties; using both helps make up for the deficiencies of a checklist-only approach.
I encourage others to comment if they have seen different standards for third party assessment, especially those around the checklist and validation approach. As of today Shared Assessments still appears to be the number one choice implemented and used, based on my experience with other companies.
February 4, 2010
What is the best starting point to embrace risk management?
This is a topic that has generated a great deal of traffic on the LinkedIn "Governance, Risk and Compliance Management (GRC)" group. If you are a member I recommend you read through the comments; if not, you should consider joining. This is a cross post, slightly modified, of my answer to this question, so forgive the double traffic if you are a member.
I was shocked that no one had mentioned the size and financial ability of the company, so this answer addresses both small and large corporations, with and without money allocated to security.
If the company is 300 people and has very little money, then usually the starting point is convincing management why money needs to be directed towards an assessment instead of something tangible. Obtaining management support through some shock and awe factor will help get buy-in, and then you can do a risk assessment. That assessment should provide a roadmap and serve as the strategic plan.
If the company is more mature and financially stable, I agree with several of the current comments that suggested some type of risk assessment framework or the COSO control framework. Either way, the typical starting point is a strategic risk assessment: something that reviews all of the organization's assets, threats, and vulnerabilities. This assessment should kick off the program by prioritizing each security effort based on risk. One of the action items from this assessment, if it doesn't already exist, should be to put a control framework (an ISMS) in place.
Once the prioritized roadmap is created and a control structure is in place, these two items can be baselined and measured over time, and each control area can have individual metrics. As the risk management program grows, the next step is to build a project or application based risk approach in addition to the strategic risk assessment. The focus of this secondary approach is to rapidly assess projects and determine the level of security review required at the project level; some projects will require more based on their risk (e.g. the type of data involved).
August 7, 2009
BITS Shared Assessments – Useful or Not
What do you think? Is this another useless assessment methodology, great idea, or a platform for vendors to sell products?
I recently went to the 2nd Annual BITS Shared Assessments event in Chicago. http://www.sharedassessments.org/
I found the event driven mostly by product vendors, a few assessment firms, and some footprint from the banking industry. Between the time of the event and now I was also able to deliver an engagement, and as a result of the conference and that delivery I have the following comments.
- Many assessors are using older versions of the SIG and still have not adopted 4.2.
- Product vendors have incorporated many of the features and appear to be pushing the solution the most.
- The current AUP and SIG are fairly decent, but the overall solution still needs to mature greatly. I found that several of the AUPs were incorrect or missing. I have yet to consolidate all my comments; however, I emailed the main contact number on the site. Currently comments are submitted one by one. I don't want to enter them one by one, thus I haven't submitted them, and I'm still waiting for a response after several weeks.
- The current scoping and process for delivery is underestimated. My experience shows that you will have to set strict guidelines on the number of follow up conversations and have a cut-off for evidence. Otherwise the assessed entity will keep trying to justify that it has the appropriate controls in place.
- There are plans for mapping to other compliance regulations. I have many more comments about this solution, but mostly I'm seeing customers use only the SIG Lite or SIG Level 2.
I see this as holding a place in the third party assessment realm for an organization. I'm wondering: is anyone else using the Shared Assessments? What are your thoughts? Will this solution grow and be used like PCI even though it doesn't have the same formal backing?
May 19, 2009
More on Staffing and Governance
I have been tracking, via this blog, a good number of search hits looking for security staffing and governance. Unfortunately there is not much out on the Internet when you search. If anyone is interested let me know and I will start an open source project off this blog to create a governance and staffing solution/program.
For those who have little or no knowledge in this area I suggest you review the Security Task Force documentation and the Educause updates located here:
Educause Information Security Governance Assessment Tool
For an open source program I would like to build off the current work, but also put a lot more emphasis on organizational charts and roles and responsibilities. If you're interested please let me know and we can get everyone together to create an updated model for multiple industries.
March 19, 2009
Security Survey Polls Added
The polls are open!
While visiting this site please check out the new IS Management page and contribute to the voting polls.
If you would like to see new or different polls added let me know.
January 30, 2009
Authoritative List of Compliance Documents
For anyone looking to find or understand the key compliance documents across the industries, regulations, and regions of the world listed below, the link below has a good list.
http://www.unifiedcompliance.com/matrices/ucf_ad_list.html
Industries, Regulations, Regions:
- Sarbanes Oxley Guidance
- Banking and Finance Guidance
- NASD NYSE Guidance
- Healthcare and Life Science Guidance
- Energy Guidance
- US Federal Security Guidance
- US Internal Revenue Guidance
- Records Management Guidance
- NIST Guidance
- ISO Guidance
- ITIL Guidance
- US Federal Privacy Guidance
- US State Laws Guidance
- EU Guidance
- UK and Canadian Guidance
- Other European and African Guidance
- Asia and Pacific Rim Guidance
- System Configuration Guidance
Also, some of these are already linked off this site. If anyone has some free time, feel free to send me links to the listed documents and I will add them to the Links page.
January 12, 2009
Working Toward ISO 17799/27001 Business Continuity Management Compliance
This document is written with the assumption that the organization follows ISO and has implemented many of the controls (including disaster recovery), but may be lacking in the area of business continuity management. It aims to consolidate and leverage the work already done for other ISO controls to jumpstart BCP compliance efforts.
The first step in compliance is to develop and implement a BCP management process. The process needs to identify the critical business processes within the organization and incorporate management requirements.
Process:
- Identify critical business processes and associated assets. Create a template, or leverage the disaster recovery (DR) documentation, and send it to managers requiring them to document their critical business processes by location. (Note: the DR information may not be complete enough, as it usually only covers recovery of technology functions and may exclude important business functions or processes that do not rely on technology.)
- Identify the consequences in the event of a disaster. Again, most of this should already be in a DR plan.
- Identify controls to reduce risk.
- Ensure information for business operations is available.
- Ensure BCP is integrated within business processes and includes security.
- Ensure that plans are updated and tested on a regular basis.
Below is a sample that can be put together quickly to help meet some of this compliance. Use Excel and list the critical business processes in a matrix associated with each geographic location, as shown below.

The next step is to identify the results of different events by doing a business impact analysis. Continuity plans have to be developed for quick restoration of operations and should be integrated with information security and other key management processes. Controls that can be put in place to reduce risk should be identified.
The Threat should define “Who”
The Event should define “What, Where, and When”

The table below is an expansion of the above. (Threats are repeated for consistency)

After the assessment the following must be done:
- Continuity plan(s) must be created.
- Roles and responsibilities must be documented. Most should have already been done for other ISO controls, but there may need to be a few short statements added to reflect business continuity compliance.
- Procedures and processes must be documented. Many of these should have already been documented as a part of incident response, disaster recovery, change control, and other standard operations. A few additional procedures may need to be created like the process of documenting and updating plans.
Plans must share the same framework: all departmental plans must be on a standard template. A centralized escalation and evacuation plan should be developed. Evacuation plans can simply state "follow building evacuation procedures". Escalation plans in most cases can follow standard disaster, emergency services, or incident response plans.
Plans need to address:
- Roles and responsibilities of key staff (i.e. BCP coordinator, executive management, and users)
- Summary pointing to the documents that have recovery procedures for operations. In many cases these procedures are in the disaster recovery area or part of the standard operating function.
- Testing of plans. This needs to track and schedule each element and when it is tested.
- Storage of plans at alternate locations
- Ownership of plans
- Fallback procedures
- Resumption procedures
- Awareness and Training
- Review of plan(s)
Putting everything important together is the key to the business continuity plan. Many of the items above already exist within organizations, but they have not been organized or consolidated in one place. A document detailing each of these items and consolidating them in one location is the key to passing the assessment. If you are already working towards ISO compliance, then Business Continuity Management is just one more minor component that can be accomplished quickly by consolidating a large amount of information in one place and creating a document (plan) that organizes and explains everything that needs to be done with these documents if there is a disruption to business operations. In some cases there may need to be department level plans that closely mirror the main plan but focus more on departmental operations. Some assessments will look for both centralized and departmental plans.
For more information you can also review the actual ISO/IEC 17799/27001 documentation and the BS 25999-2 specification.
September 10, 2008
IT Security Spending 10% of IT Operating Budget
10% of the IT budget seems high. It would be nice if someone provided an industry breakdown; I can't imagine that certain industries are even close to this number. Resource links to the posting are below.
August 19, 2008
The Top Ten Convention Information Security Measures
The Ten Most Important Things That The CSO Of The Republican and Democratic Conventions Should Be Doing To Ensure The Security of The Event
Overview
In 2004 I had the unique responsibility of being CSO for the Republican convention in NYC. My role was primarily to secure the campaign network and work with the host committee to ensure the security of their network. To help those currently in similar positions, or involved with other short-term events and conventions, I compiled the top 10 measures that helped keep our environment secure. In no way is this list complete, but the most important items have been listed. This list also does not address obtaining management support or developing security policy, which are two fundamental elements to implementing all of the measures described below.
The Top Ten
The Convention Security Top Ten Measures (in no particular order) are:
- Change Passwords Frequently
- Implement External Network Filtering
- Physically Separate Speech Network
- Change Voice Mail Messages
- Review User Accounts and Access Lists
- Create an Incident Response Plan
- Enforce a no Wireless Policy
- Implement Intrusion Prevention
- Implement Disaster Recovery Plan
- Continually Walk Around and Assess
What makes Convention Security so Different?
- There is no permanent IT staff, organization, or existing IT documentation.
- Everything done for the convention is temporary; everything must be taken down and returned a few days after the convention.
- The project must be completed by the date of the convention. There is no room for failure.
- Many decisions are based upon political considerations, including the appointment of key IT personnel.
- IT budget is usually "raised" specifically for this event. In the case of the Democratic and Republican conventions all funds are usually dual-approved between the Host Committee and the Campaign.
- Political conventions have a major emphasis on IT security: each is a National Special Security Event (NSSE) (i.e. it involves Homeland Security, the US Secret Service, FBI, NYPD and CERT).
- Short timeframe: in some cases only 30 to 60 days to install the IT infrastructure in convention sites.
- No IT Program Management or Project Management structure.
Top Ten Detailed Measures
Below is a description of each security measure with real world examples from the 2004 Republican National Convention.
1. Change Passwords Frequently
Based on my experience, passwords are the number one way an attacker gains access to a computer system. The attacker gets in because the password is either the default supplied by the vendor, blank, easily guessable, written down, or typed in a file on another system. Therefore, change all passwords as often as possible, including system accounts, users, mobile devices, firewalls, routers, etc. Don't wait until the last minute to find out your BlackBerry server's bsadmin service password is "blackberry".
Changing passwords will be painful for users at first, but it is a must for event security due to employee turnover, the use of volunteers, and maintaining control of the systems under the security staff's management. During the week of the convention IT should try not to change any passwords. In fact ALL CHANGES should be frozen during the week of the convention unless there is an emergency.
2. Implement External Network Filtering
Implement external firewall and router ACL filters that drop traffic from address ranges allocated outside the US. Published country IP lists are good enough to reduce your IPS hits from hundreds of thousands a day to hundreds a day. Treat this as noise reduction rather than a hard control: geolocation data is approximate, and an attacker can just as easily operate from US-hosted systems.
See my IP black list posting
http://infosecalways.com/2007/11/08/ip-address-blacklist/
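The following is an added example, not code from the original post, showing how a country allow-list of CIDR blocks turns into default-deny filter rules. The blocks in SAMPLE_ALLOW are constructed placeholders taken from the RFC 5737 documentation ranges, not real country allocations; in practice you would feed in a registry-derived list such as the one linked above. The ACL name, chain name and rule syntax are assumptions about a generic Cisco IOS extended ACL and iptables chain.

```python
"""Turn a country allow-list of CIDR blocks into default-deny filter rules.

Added example (not from the original post). The CIDR blocks below are
constructed placeholders from the RFC 5737 documentation ranges, not real
country allocations.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample "allowed country" blocks; real lists run to thousands.
SAMPLE_ALLOW = [
    "198.51.100.0/24",
    "203.0.113.0/25",
    "203.0.113.128/25",   # adjacent to the previous block; collapses into a /24
]


def collapse(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping blocks so the resulting ACL stays short.

    strict=True rejects entries whose host bits are set, which catches
    hand-edited list errors before they become a wrong rule on the router.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def decide(ip: str, allow_nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Default-deny: an address is permitted only if some block contains it."""
    addr = ipaddress.ip_address(ip)
    return "permit" if any(addr in n for n in allow_nets) else "deny"


def cisco_acl(name: str, allow_nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Render an extended ACL: permit the listed blocks, deny and log the rest."""
    lines = [f"ip access-list extended {name}"]
    for n in allow_nets:
        # IOS ACLs take wildcard (inverse) masks, which ipaddress exposes as hostmask.
        lines.append(f" permit ip {n.network_address} {n.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


def iptables_rules(chain: str, allow_nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Render an equivalent iptables chain; the caller jumps to it from INPUT/FORWARD."""
    lines = [f"iptables -N {chain}"]
    for n in allow_nets:
        lines.append(f"iptables -A {chain} -s {n.with_prefixlen} -j RETURN")
    lines.append(f"iptables -A {chain} -j LOG --log-prefix 'GEO-DROP '")
    lines.append(f"iptables -A {chain} -j DROP")
    return lines


if __name__ == "__main__":
    nets = collapse(SAMPLE_ALLOW)
    print("\n".join(cisco_acl("INBOUND-GEO", nets)))
    print("\n".join(iptables_rules("GEOFILTER", nets)))
    for probe in ("198.51.100.7", "203.0.113.200", "192.0.2.9"):
        print(probe, decide(probe, nets))
```

The collapse step matters on real lists: country allocations are published as many small adjacent blocks, and a router ACL of several thousand lines is both slow and hard to review. The explicit logging deny at the end is what gives you the before-and-after hit counts the post mentions.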
3. Physically Separate Speech Network
Usually in a convention there is a series of speeches given by well known individuals. At the 2004 convention there were several important people speaking, including Arnold Schwarzenegger, Dick Cheney, and President George W. Bush. The original network design had the speech network connected to the Host Committee and Campaign networks, which were connected to the Internet. The worst possible scenario would be the speech system being hacked prior to the event, or while the candidate was speaking on live TV. Thus, as a security professional it is important to separate the speech network and make sure there is no way any user on the Internet has any chance to connect to these systems.
At the 2004 convention, amazing as it was, the speech server was placed in an X-ray room at Madison Square Garden. Given the level of paranoia, the fuses were pulled on the X-ray machine and a separate padlock was purchased and put on the door. We called this the red room because the outside of the door had a red Danger sign (because of the X-ray system) and it was in the Red Zone. The only other system on that network was a Cisco network IDS server, and only three individuals had access to the room.
This room was located in the Red Zone, the Secret Service controlled area that restricted access to the under-stage and candidate environment. Only four IT staff members had access to this zone. For the 2004 convention the staff with access were the CIO, the CSO, the Cisco engineer who ran the network cables, and an intern with political connections who administered the badge system alongside the Secret Service.
4. Change Voice Mail Messages
This has to be one of the hard lessons learned for some of the IT staff at the 2004 convention, because several employees were harassed for weeks during the convention as a result of their voice mail messages. Many of the IT staff didn't use office phones because there were several other means of communication such as cell phones, Nextel click-to-talk phones, and BlackBerry devices.
Social engineering attacks are a very big threat for several months prior to the convention. As CSO you will need to talk to the front desk staff and find out how many calls actually come in. Many of them will come from the other party (i.e. the Democratic Party in this case). The week of the convention the front desk staff were so used to these calls that the majority of them were just transferred to the main desk at the Democratic convention.
The main problem that affected the technology staff was not just the political activists; it was the individuals who listened to voice mail messages and were smart enough to identify the IT staff and then harass them later. In one case we had one specific vendor, who will remain anonymous, who left their company name and cell phone number on their voice mail. When the harassing attack occurred this person was receiving several calls a day on their personal cell phone and ended up contacting the local police, who continued the investigation. In the end you will basically have to change your cell phone, so it is important to change all of the technical staff voice mail messages to avoid social engineering and harassing attacks. Remove names, titles, cell phone numbers, etc. You don't want your top IT staff getting spammed with calls that essentially DoS their cell phones because they left their number and title on their office phone.
5. Review User Accounts and Access Lists
Continually review user accounts and access lists for systems, applications, network devices and datacenters. You might be amazed how many volunteers, and staff members who no longer work for the convention, still have access. This is a must and should be done several times before the event.
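One way to make that review repeatable is to reconcile an account export against the current staff and volunteer roster and flag anything nobody vouches for. The script below is an added example, not from the original post; both CSV inputs are constructed samples, and the column names, the "Domain Admins" privileged group and the 30-day stale-logon threshold are assumptions about what an account export and a roster would contain.

```python
"""Reconcile enabled accounts against the current staff/volunteer roster.

Added example, not from the original post. Both inputs are constructed
samples and the column names are assumptions about what an account
export and an HR/volunteer roster would contain.
"""
import csv
import io
from datetime import date, timedelta

# Constructed account export, e.g. from a directory or application admin screen.
ACCOUNTS_CSV = """username,groups,last_logon,enabled
jdoe,Domain Users,2004-08-25,true
vsmith,Domain Users;Domain Admins,2004-07-01,true
intern42,Domain Users,2004-06-10,true
tech7,Domain Users;Domain Admins,2004-08-20,true
svc_backup,Domain Admins,2004-08-26,true
oldvol,Domain Users,2004-05-02,true
gone,Domain Users,2004-04-01,false
"""

# Constructed roster: who is still engaged and whether admin rights were approved.
ROSTER_CSV = """username,role,end_date,admin_approved
jdoe,staff,2004-09-10,false
vsmith,staff,2004-09-10,true
intern42,volunteer,2004-08-01,false
tech7,staff,2004-09-10,false
svc_backup,service,2004-09-10,true
"""

PRIVILEGED_GROUPS = {"Domain Admins"}   # assumption: which groups count as privileged


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(accounts_csv, roster_csv, today, stale_days=30):
    """Return findings keyed by type -> sorted usernames.

    today is an ISO date string such as "2004-08-27" so the review is
    reproducible for a given snapshot.
    """
    today = date.fromisoformat(today)
    roster = {r["username"]: r for r in load_rows(roster_csv)}
    findings = {"not_on_roster": [], "engagement_ended": [],
                "unapproved_admin": [], "stale_logon": []}
    for acct in load_rows(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing left to revoke
        user = acct["username"]
        entry = roster.get(user)
        if entry is None:
            # Nobody vouches for this account: disable it until someone does.
            findings["not_on_roster"].append(user)
            continue
        if date.fromisoformat(entry["end_date"]) < today:
            findings["engagement_ended"].append(user)
        groups = {g.strip() for g in acct["groups"].split(";")}
        if groups & PRIVILEGED_GROUPS and entry["admin_approved"].strip().lower() != "true":
            findings["unapproved_admin"].append(user)
        if today - date.fromisoformat(acct["last_logon"]) > timedelta(days=stale_days):
            findings["stale_logon"].append(user)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, users in review_accounts(ACCOUNTS_CSV, ROSTER_CSV, "2004-08-27").items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

Run it against each system's export (directory, badge system, firewall admin accounts) before every review pass; the "not on roster" and "engagement ended" lists are the ones to disable first, since they are exactly the departed staff and volunteers the post warns about.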
6. Create an Incident Response Plan
Create a solid response plan and make sure that CERT (http://www.cert.org/) and the Secret Service are included. Although spam may be your only incident, it will be important to have worked out who to call first and who can investigate. During the 2004 convention we came across four items that could be classified as incidents: social engineering, DoS attempts, data leakage, and spam.
Social engineering was discussed above in item 4: Change Voice Mail Messages. DoS attempts were targeted at the campaign web site, which was externally hosted with an infrastructure capable of handling the traffic; during setup we performed a site inspection of the third party and required additional technology to be implemented as a preventative measure. Data leakage occurred and we were notified after it hit the media. The problem turned out to be an internal volunteer who leaked an Excel file of campaign names to the media. This is always a difficult and costly problem to solve, but in this case the repercussions were small and had little effect other than media coverage. The one major incident for which we fully enacted the IR plan turned out to be confusion over a spam email that got through the filter and was titled something along the lines of "you've been hacked". It turned out the message was spam advertising a video tape; a delegate received it and thought his system was compromised. Overall the process worked great based on after-incident feedback. The process is below.
Incident Response Process Flow Example:
1. Enforce the "need to know" policy. Tell the details of an incident to the minimum people necessary.
2. Initiate the investigation.
3. Can you confirm this is an incident? If yes go to step 5. If no go to step 4.
4. Make a note on the Incident Report Form and explain that it was not an incident. Go to step 15.
5. Notify the Secret Service.
6. Activate the Incident Response Team. Fill out the Incident Report Form (Appendix D).
7. Continue the investigation.
8. Were systems on the network affected? If yes go to step 9. If no go to step 10.
9. Notify staff and administrators of the affected system(s). If dispatched to a site, remember to document the location. Go to step 10.
10. Is there a possibility of criminal action? If yes go to step 11. If no go to step 12.
11. Notify the Secret Service and wait for instruction. Do only as they say.
12. Contain and/or isolate the victim system(s). If this is a virus or worm, unplug the system from the network. DO NOT power down the system, because some viruses may delete information when the system is rebooted. If it is NOT a virus or worm, disconnect the network or do a hard shutdown of the system. DO NOT do a graceful shutdown, because valuable information may be lost. Log all actions.
13. Notify the Secret Service. Log all actions.
14. Return the system to normal operation. Log all actions.
15. Incident over. Fill out the Incident Report Form (Appendix D). List all actions.
16. Hold a short meeting with the Incident Response Team, CERT, and the Secret Service to identify the lessons learned and adjust the program accordingly. List all actions.
7. Enforce a no Wireless Policy
This is a simple one. Wireless is not secure enough, is hard to monitor, and should be turned off on every device connected to the network. Make sure that all laptops have wireless disabled too. Only use BlackBerry and Nextel type devices. You don't want anyone with a wireless card bridging in external networks, or something worse.
It's a hard enough job to ensure that everything is shut down, let alone trying to monitor outsiders connecting to the network. The Secret Service may also block wireless at different times (though they can neither confirm nor deny that!), which may cause signal disruptions.
During the convention, at night when the speeches were being given, the main job of the CSO and the IT support staff was simply to monitor for wireless systems and ensure that no unauthorized device was connected to our network cables.
8. Implement Intrusion Prevention
Install both network and host intrusion prevention. There will be viruses, so this combined with anti-virus will stop propagation. Behavioral based solutions work very well and should be installed on every system. Below is a diagram of the network with the placement of the network IDS systems.
9. Implement Disaster Recovery Plan
Implement redundancy for all equipment and all foreseeable circumstances. In most cases communication is the most important item, so ensure email and other services are redundant and located offsite.
10. Continually Walk Around and Assess
Check cabling, wiring closets, and wireless access points (that shouldn't be there) by walking around the facilities regularly and constantly scanning for wireless devices. It's amazing how many people have access to your wiring closets. It's also amazing when you find water dripping on your cords, so check everything multiple times.
